Web


Nmap discovered a web server on port 80. The running service is Apache httpd 2.4.56.

Webroot: the organization appears to provide a website design service.

The Team section showcases the system users that I have enumerated through the Samba service.

While the Contact form is present, it doesn’t appear to be functional.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/gofer]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://gofer.htb/FUZZ -ic -e .txt,.php,.html
________________________________________________
 
 :: Method           : GET
 :: URL              : http://gofer.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .txt .php .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
[Status: 200, Size: 29380, Words: 7647, Lines: 622, Duration: 89ms]
    * FUZZ: index.html
 
[Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 89ms]
    * FUZZ: .html
 
[Status: 200, Size: 29380, Words: 7647, Lines: 622, Duration: 87ms]
    * FUZZ: 
 
[Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 2637ms]
    * FUZZ: .php
 
[Status: 301, Size: 307, Words: 20, Lines: 10, Duration: 86ms]
    * FUZZ: assets
 
[Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 85ms]
    * FUZZ: .php
 
[Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 85ms]
    * FUZZ: .html
 
[Status: 200, Size: 29380, Words: 7647, Lines: 622, Duration: 87ms]
    * FUZZ: 
 
[Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 85ms]
    * FUZZ: server-status
 
:: Progress: [882188/882188] :: Job [1/1] :: 468 req/sec :: Duration: [0:31:58] :: Errors: 0 ::

Nothing found

Sub-domain / Virtual host discovery


┌──(kali㉿kali)-[~/archive/htb/labs/gofer]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.gofer.htb' -fc 301
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.11.225/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.gofer.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response status: 301
________________________________________________
 
[Status: 401, Size: 462, Words: 42, Lines: 15, Duration: 87ms]
    * FUZZ: proxy
 
:: Progress: [114441/114441] :: Job [1/1] :: 465 req/sec :: Duration: [0:04:07] :: Errors: 0 ::

Found a virtual host at proxy.gofer.htb, and it returned 401.

I will first append it to the /etc/hosts file on Kali for local DNS resolution.

proxy.gofer.htb


The virtual host, proxy.gofer.htb, is locked behind basic HTTP authentication. This was mentioned in the mail found in the Samba server earlier.

The author suggested that access control is achievable via Apache’s <Limit> directive. While it is a great feature, it could easily be misconfigured.
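
As an added example (not part of the original writeup, and not the target's actual configuration): per the Apache documentation, access directives placed inside <Limit> apply only to the methods it lists, so the sketch below audits a config for that pattern. Both sample configs, their paths, and the function name audit_limit_blocks are constructed for illustration.

```python
import re

# Constructed sample (not the target's real config): auth wrapped in <Limit GET>,
# so Apache enforces it for GET only and other methods skip the check.
WEAK_CONF = """\
<Directory "/var/www/proxy">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/apache2/.htpasswd
    <Limit GET>
        Require valid-user
    </Limit>
</Directory>
"""

# Hardened form: Require sits directly in the container and covers every method.
FIXED_CONF = """\
<Directory "/var/www/proxy">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
"""

ACCESS_DIRECTIVES = ("require", "allow", "deny", "order", "satisfy")
LIMIT_OPEN = re.compile(r"<Limit\s+([^>]+)>", re.I)  # never matches <LimitExcept>
LIMIT_CLOSE = re.compile(r"</Limit>", re.I)

def audit_limit_blocks(conf_text):
    """Return (line_no, methods, directive) for each access rule inside <Limit>."""
    findings, methods = [], None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = LIMIT_OPEN.match(line)
        if opened:
            methods = opened.group(1).upper().split()
        elif LIMIT_CLOSE.match(line):
            methods = None
        elif methods and line.split()[0].lower() in ACCESS_DIRECTIVES:
            findings.append((no, methods, line))
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        for no, methods, directive in audit_limit_blocks(conf):
            print(f"{name}: line {no}: {directive!r} only applies to {methods}")
```

Any finding means the rule is scoped to the listed methods only; moving the directive out of the <Limit> wrapper makes it apply to every request method.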